From 69510ad40debc1fc64cddf18c6be6c51ffb32594 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Thu, 7 May 2020 17:39:05 +0200 Subject: [PATCH] Add support for FileDelete events (event id 23) to sysmon module FileDelete events were added in Sysmon v11. Prior to this change processing such events lead to an 'unexpected sysmon event_id' error message. Closes #18094 --- CHANGELOG.next.asciidoc | 2 + winlogbeat/docs/fields.asciidoc | 18 +++++ .../winlogbeat/module/sysmon/_meta/fields.yml | 8 ++ .../module/sysmon/config/winlogbeat-sysmon.js | 58 ++++++++++++++ x-pack/winlogbeat/module/sysmon/fields.go | 2 +- .../test/testdata/sysmon-11-filedelete.evtx | Bin 0 -> 69632 bytes .../sysmon-11-filedelete.evtx.golden.json | 74 ++++++++++++++++++ 7 files changed, 161 insertions(+), 1 deletion(-) create mode 100644 x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx create mode 100644 x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 27b1701f875..64b008b97e8 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -44,6 +44,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Winlogbeat* +- Add support to Sysmon file delete events (event ID 23). {issue}18094[18094] + *Functionbeat* diff --git a/winlogbeat/docs/fields.asciidoc b/winlogbeat/docs/fields.asciidoc index 3763ebc12db..092ad7516d1 100644 --- a/winlogbeat/docs/fields.asciidoc +++ b/winlogbeat/docs/fields.asciidoc @@ -7572,6 +7572,24 @@ type: keyword -- +*`sysmon.file.archived`*:: ++ +-- +Indicates if the deleted file was archived. + +type: boolean + +-- + +*`sysmon.file.is_executable`*:: ++ +-- +Indicates if the deleted file was an executable. + +type: boolean + +-- + [[exported-fields-winlog]] == Winlogbeat fields 
diff --git a/x-pack/winlogbeat/module/sysmon/_meta/fields.yml b/x-pack/winlogbeat/module/sysmon/_meta/fields.yml
index 8ba29416eb4..ff9db37db91 100644
--- a/x-pack/winlogbeat/module/sysmon/_meta/fields.yml
+++ b/x-pack/winlogbeat/module/sysmon/_meta/fields.yml
@@ -8,3 +8,11 @@
 - name: sysmon.dns.status
 type: keyword
 description: Windows status code returned for the DNS query.
+
+ - name: sysmon.file.archived
+ type: boolean
+ description: Indicates if the deleted file was archived.
+
+ - name: sysmon.file.is_executable
+ type: boolean
+ description: Indicates if the deleted file was an executable.
diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
index 2e449580d87..d9d454ec1fe 100644
--- a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
+++ b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
@@ -1392,6 +1392,63 @@ var sysmon = (function () {
 .Add(removeEmptyEventData)
 .Build();
 
+ // Event ID 23 - FileDelete (A file delete was detected).
+ var event23 = new processor.Chain()
+ .Add(parseUtcTime)
+ .AddFields({
+ fields: {
+ "event.category": ["file"], // pipes are files
+ "event.type": ["deletion"],
+ },
+ })
+ .Convert({
+ fields: [
+ {
+ from: "winlog.event_data.UtcTime",
+ to: "@timestamp",
+ },
+ {
+ from: "winlog.event_data.ProcessGuid",
+ to: "process.entity_id",
+ },
+ {
+ from: "winlog.event_data.ProcessId",
+ to: "process.pid",
+ type: "long",
+ },
+ {
+ from: "winlog.event_data.RuleName",
+ to: "rule.name",
+ },
+ {
+ from: "winlog.event_data.TargetFilename",
+ to: "file.name",
+ },
+ {
+ from: "winlog.event_data.Image",
+ to: "process.executable",
+ },
+ {
+ from: "winlog.event_data.Archived",
+ to: "sysmon.file.archived",
+ type: "boolean",
+ },
+ {
+ from: "winlog.event_data.IsExecutable",
+ to: "sysmon.file.is_executable",
+ type: "boolean",
+ },
+ ],
+ mode: "rename",
+ ignore_missing: true,
+ fail_on_error: false,
+ })
+ .Add(addUser)
+ .Add(splitHashes)
+ .Add(setProcessNameUsingExe)
+ .Add(removeEmptyEventData)
+ .Build();
+
 // Event ID 255 - Error report.
 var event255 = new processor.Chain()
 .Add(parseUtcTime)
@@ -1436,6 +1493,7 @@ var sysmon = (function () {
 20: event20.Run,
 21: event21.Run,
 22: event22.Run,
+ 23: event23.Run,
 255: event255.Run,
 
 process: function (evt) {
diff --git a/x-pack/winlogbeat/module/sysmon/fields.go b/x-pack/winlogbeat/module/sysmon/fields.go
index eeb184deb3b..8fef032555d 100644
--- a/x-pack/winlogbeat/module/sysmon/fields.go
+++ b/x-pack/winlogbeat/module/sysmon/fields.go
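Review bot: The trailing comment `// pipes are files` on the `"event.category": ["file"]` line of the new event23 chain is carried over from the named-pipe handlers and is wrong for a FileDelete event; drop it and leave just `"event.category": ["file"],`. The rename of `winlog.event_data.TargetFilename` to `file.name` also looks off: the golden output stores a full path (`C:\Windows\...\lastalive0.dat`) there, while ECS uses `file.name` for the base name and `file.path` for the full path, so `to: "file.path",` is probably the right target — check how the existing TargetFilename handlers in this file map it, since they lie outside the hunk. The enclosing `var sysmon = (function () {` IIFE begins and ends outside both hunks.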
@@ -19,5 +19,5 @@ func init() { // AssetSysmon returns asset data. // This is the base64 encoded gzipped contents of module/sysmon. func AssetSysmon() string { - return "eJxUzrFuwzAQA9BdX0Fkjz9AQ6fOXVKgs+qjEaG2zr07N9DfF1WTISsJEu+ML/YM775pS0DUWJlxuowAm8qx8pQAoc9W96jaMl4SALxf6UQxIq4Ef9gCS+UqDt8516XOCB3l092UAOPK4sz4ZJSE+y6ncXxGKxsfqkmaTx4lDh8tEH1n/oPf1OSePfk+ahO9Of5XmFUIYxzWKFjUhun17YLvg9an9BsAAP//OQhWnA==" + return "eJysjrFOKzEQRXt/xVX6+ANcvOo1NDRBokSOfVcZ4djBM5uwf49iEqGVIiraGd1zzhbvXAJ00WOrDjCxwoDNbhxwbHku3DggU1OXk0mrAf8cALwcqETshB0InlkNk7BkhZ6YZJIEa+O5wnkHdBZGZcCeFh1uu+AGeIsaj7xX+VzVq0WbdXwBW04M1/BL6/l2W/W9Ss3tovheIbVMdNrcKzOm1kfT/+cdPmb2xT+0TlLoY08HOTOvxPvWCmN9JH6qWVI0KmQaksxCu0qlEJeouBN/kYq+8ZNptrgv/ENzxQ/Wu68AAAD//xH3plw=" } 
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx new file mode 100644 index 0000000000000000000000000000000000000000..4258ea01dd7caab6fc52b32362eccf8777dc8098 GIT binary patch literal 69632 zcmeI$TWl0n7zglgW@o3X=z2or58)Mid=*=YNag{+TGgSB9|yt zf*437K6pt;jN#3gn23=mF)=avWP(0vL=zv@|99pLy%<7BAN1iro7uUX zZ_ed+F4Jz;@L>1Q@PN$TTzg{zM@M2J70&FCIbT=IEB-L&Oqc-$C_n)UP=Epypa2CZ zKmiI+fC9G^=o%jE*puCd|MA1^X2%Il#*YG%Wg?GE9;w#Lxold_*wIs$rsuK1$IlFb z$RBZ$%ii=9kv804iJu{Ece`+lXHKC^-4>us-Tt)kXYGBxcN+HwXVqsFuK%(>lH5D1 zj1ilcKKr3PUys;s_xKVt5#+B<7ix<&XQNQK3`0}(IM9u|MA_jP-SloenMLl}; za3GsZ>HASuKcdEv+KRn98jNe-_GAMpJAy=!R7xEG89N?osyum8#?6yRN=rJHiOG6| z9kLPE`%0!^t&vWoJ&fJgA*b2YTujJQ$f6HqLumexse;m_Jn`LBOnlENlLv4k8tL;& zOJti38-i38X>O`aJP&=m5Es!9@4pb2bqLhH8a6?qL9Wcl#e6$XyAFG@#q`BK6XI%t zj#T49r+{uBFZ5+2I#9bsiL^LJbBfDiTtqWx@ArYMMe;%PTMmx>aM#edRC!?Egp0Rq zjw{|QL!m>)v;(07sDO4+KVl4z&LSOCj~!0T=)veA@c2?0a}pRWQ)@|gEICbkGcwdF zYfVCVH=9$wNsUF2&*q%7_+`&p#_g0}hyqkDG$R?(NZfpf^S9lK83A zj@exZ%;RHg5lG0+$gQ4G-zMD}4IWlg=c(<;RA zoMLe`0(4c=j$4rp4AcmQf>th^D{kCLgQHJ&qb$v%Ahl+~HsZS$_nJh-HKS-L{-7>E zr)uYnBRzx^xgQaJv?>p-^JObqre)aHmCKzmFI6dvJh=m*7=UKSc*ScgY)c?j5=bRd zG0<_QdmsrDhsVwR23%E0T6%CS^A;iIZhY)E@#3n}lTToEd=F!<4XY+zhGvUnO6V5X zqSvF&GncGd*^YZz^mPt{KaX~Y%gzX{v+`Wq==P;w|I+c*I{*66slR`|-RJAg>{AMz zCE?iA^&(ut-~auU1ugm;>3 z`*2@Z$95d`U96++M9#yCrG;whJ=lF+72{5T5k8I@4BS{5-6Xn1J9>$IUQKOu3A(ZX zv1szTNz_PVYi+FQ`Y`9RSwlNoUfrZCX?>=~K6Bqx{{Nm1{o*EL5@@{Ut?kiKVe8}F z7+P);gGi$m*(e<&HY$#Rr!T49Xr-HshjGm|PFrc?QfB!aGjRp!M*pZw7EkIM!%h0( zlMmV_tEQgxF$nb~sIS93B1^)^dK;;AvSpN`F8LWNL!Z20%5jr{B((*)Y-&4a^il?6 zMqjtOVChQaCQDIghH?d7%>}QRE>3TD~>%F&70AlEwV#;@qXHf zMJ0n{HRengQnn$j17{t`y?55U>Yed2XhvzhaM^F#sDD7{9}fd&{k+-JI*WAi)}=Fi z@#{NRdn|8ilS7KmEnT0cB70H8QGBAwp!JR-dl9X@sFOtB;VRvLdi3MEfP8xJY@@8i z-Uz)$q_tv{w8&~{#-|PKY=c||EpEkGGrl{K+JNs)T(_IEF5K@#OcSnKP0Vs*TRuf4pa2CZKmiI+fC3bt00k&O0SZun0u-PC1t>rP3Q&Lo6rcbFC_n)UP=Epy 
zpa2CZKmiI+fC3bt00k&O0SZun0u-PC1t>rP3Q&Lo6rcbFC_n)UP=Epypa2CZKmiI+ zfC3bt00k&O0SZun0u-PC1t>rP3Q&Lo6rcbFC_n)UP=Epypa2CZKmiI+fC3bt00k&O z0SZun0u-PC1t>rP3Q&Lo6rcbFC_n)UP=Epypa2CZKmiI+fC3bt00k&O0SZun0u-PC z1t>rP3Q&Lo6rcbFC_n)UP=Epy_&*4EsKm8b`(#qiT*~7-IzBI-T+!?3D5I6X>9tJU zuixA#KmiI+fC3bt00k&O0SZun0u-PC1t>rP3Q&Lo6rcbFC_n)UP=Epypa2CZKmiI+ zfC3bt00k&O0SZun0u-PC1t>rP3Q&Lo6rcbFC_n)UP=Epypa2CZKmiI+fC3bt00k&O O0SZun0u=ZU1pWabzN3r) literal 0 HcmV?d00001 diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json new file mode 100644 index 00000000000..1e36d89016c --- /dev/null +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json 
@@ -0,0 +1,74 @@ +[ + { + "@timestamp": "2020-05-07T07:27:18.722Z", + "event": { + "code": 23, + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon" + }, + "fields": { + "event": { + "category": [ + "file" + ], + "type": [ + "deletion" + ] + } + }, + "file": { + "name": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat" + }, + "hash": { + "sha1": "115106f5b338c87ae6836d50dd890de3da296367" + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42f11c3b-b2b6-5eb3-18ab-000000000000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 776 + }, + "rule": { + "name": "-" + }, + "sysmon": { + "file": { + "archived": true, + "is_executable": false + } + }, + "user": { + "domain": "NT AUTHORITY", + "name": "LOCAL SERVICE" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": 23, + "process": { + "pid": 664, + "thread": { + "id": 2360 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 11, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + } +] \ No newline at end of file